From 363b0f9f8582a7b5d9f332de72f6a7c82b9596da Mon Sep 17 00:00:00 2001
From: Michal Checinski <mchecinski@bitwarden.com>
Date: Thu, 12 Jun 2025 13:38:05 +0200
Subject: [PATCH] Add GitHub Actions workflow for staged rollout of Chrome
 extension

---
 .github/workflows/staged-rollout-browser.yml | 68 ++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 .github/workflows/staged-rollout-browser.yml

diff --git a/.github/workflows/staged-rollout-browser.yml b/.github/workflows/staged-rollout-browser.yml
new file mode 100644
index 00000000000..cd668474b79
--- /dev/null
+++ b/.github/workflows/staged-rollout-browser.yml
@@ -0,0 +1,68 @@
+name: Staged Rollout Browser Chrome
+run-name: Staged Rollout Browser Chrome - ${{ inputs.rollout_percentage }}%
+
+on:
+  workflow_dispatch:
+    inputs:
+      rollout_percentage:
+        description: 'Staged Rollout Percentage'
+        required: true
+        default: '10'
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  rollout:
+    name: Update Chrome Rollout Percentage
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Login to Azure
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "CHROME_CLIENT_ID,CHROME_CLIENT_SECRET,CHROME_REFRESH_TOKEN,CHROME_EXTENSION_ID"
+
+      - name: Get OAuth token
+        id: auth
+        env:
+            CHROME_CLIENT_ID: ${{ steps.retrieve-secrets.outputs.CHROME_CLIENT_ID }}
+            CHROME_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.CHROME_CLIENT_SECRET }}
+            CHROME_REFRESH_TOKEN: ${{ steps.retrieve-secrets.outputs.CHROME_REFRESH_TOKEN }}
+        run: |
+          ACCESS_TOKEN=$(curl -s -X POST \
+            "https://oauth2.googleapis.com/token" \
+            -H "Content-Type: application/x-www-form-urlencoded" \
+            -d "client_id=$CHROME_CLIENT_ID" \
+            -d "client_secret=$CHROME_CLIENT_SECRET" \
+            -d "refresh_token=$CHROME_REFRESH_TOKEN" \
+            -d "grant_type=refresh_token" | \
+            jq -r '.access_token')
+
+          echo "access_token=$ACCESS_TOKEN" >> $GITHUB_OUTPUT
+
+      - name: Set staged rollout percentage
+        env:
+          ROLLOUT_PCT: ${{ inputs.rollout_percentage }}
+          ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
+          CHROME_EXTENSION_ID: ${{ steps.retrieve-secrets.outputs.CHROME_EXTENSION_ID }}
+        run: |
+          if [[ ! $ROLLOUT_PCT =~ ^[0-9]+$ ]] || [ "$ROLLOUT_PCT" -lt 0 ] || [ "$ROLLOUT_PCT" -gt 100 ]; then
+            echo "Error: Rollout percentage must be an integer between 0 and 100."
+            exit 1
+          fi
+
+          curl -s -X POST \
+            "https://www.googleapis.com/chromewebstore/v1.1/items/${CHROME_EXTENSION_ID}/stagedRollout" \
+            -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"rolloutPercentage\": $ROLLOUT_PCT}"
+